A pathological case of huffman coding that uses 8 bits to code each of 256

symbols could cause an unsigned char limit[8] to wrap back to 0, setting
limit to -1 and making the decompressor exit with a data error.

diff --git a/lib/bunzip.c b/lib/bunzip.c
index f923b0c..ae84289 100644 (file)
--- a/lib/bunzip.c
+++ b/lib/bunzip.c
@@ -204,8 +204,9 @@ static int read_block_header(struct bunzip_data *bd, struct bwdata *bw)
        // literal symbols, plus two run symbols (RUNA, RUNB)
        symCount = bd->symTotal+2;
        for (jj=0; jj<bd->groupCount; jj++) {
-               unsigned char length[MAX_SYMBOLS], temp[MAX_HUFCODE_BITS+1];
-               int     minLen, maxLen, pp;
+               unsigned char length[MAX_SYMBOLS];
+               unsigned temp[MAX_HUFCODE_BITS+1];
+               int minLen, maxLen, pp;
 
                // Read lengths
                hh = get_bits(bd, 5);